Category: Reverse Engineering Points: ??? Solved By: Apicius
Challenge
After escaping galactic federal prison, you (the legendary Rick Sanchez) have just given yourself Level 9 access to the federation headquarters. Now, you must break into their computer systems and find a way to topple the galactic government.
Author: monkey_noises
Files: galactic_federation.bin
Solution
When this program is opened we first get a login page. Guess I need to check if passwords are coded into the binary...
Opening it in Ghidra, we can see the username and password hardcoded in the binary as strings, with a simple obfuscate function running on it in order to make it slightly more annoying to steal.
#include <stdio.h>
#include <string.h>
int main() {
char password[] = "hktpu";
for (int i = 0; i < strlen(password); i++) {
char out = password[i]-'\a';
printf("%c", out);
}
}
I rewrote the inverse of the simple obfuscate in C, and got the username and password from it:
username: admin
password: 1_l0v3_wR4ngL3r_jE4nS
With this username and password we can start our search for the flag. Theres a fairly suspicious function called collapse_economy(), and that seems to be what we want to get. The function where collapse_economy() is called checks for two conditions: that the value of the currency is 0, and that the currency is called "usd."
The line currency = currency + (local_60/100) * currency
can be easily taken advantage of by just passing -100 in as our variable so that it sets the currency to be currency + -currency. Then, in another portion of the admin console we can simply change the currency type to USD. We're then given the flag after we collapse the economy.
Flag: shctf{w4it_uH_wh0s_P4y1Ng_m3_2_y3L1_@_tH15_gUy?}